#!/bin/bash
# 支持 openssl 1.1.x

rm -rf CA_certificate.crt CA_certificate.srl CA_private.key private.crt private.csr private.ext private.key
cip=$1
openssl req -x509 -nodes -days 3560 -newkey rsa:2048 -subj "/C=CN/ST=BJ/L=BJ/O=LK" -keyout  CA_private.key -out CA_certificate.crt -reqexts v3_req -extensions v3_ca
openssl genrsa -out private.key 2048
openssl req -new -key private.key -subj "/C=CN/ST=BJ/L=BJ/O=LK/CN=$cip" -sha256 -out private.csr

cat <<EOF > private.ext
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = san
extensions = san

[ req_distinguished_name ]
contryName = CN
stateOrProvinceName = bj
localityName = bj
organizationName = bj

[ san ]
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$cip
EOF

openssl x509 -req -days 3650 -in private.csr -CA CA_certificate.crt -CAkey CA_private.key -CAcreateserial -sha256 -out private.crt -extfile private.ext -extensions san